W3C home > Mailing lists > Public > public-xmlsec-maintwg@w3.org > May 2008

Re: Best Practices process

From: Pratik Datta <pratik.datta@oracle.com>
Date: Tue, 13 May 2008 10:57:31 -0700
Message-ID: <4829D68B.7040406@oracle.com>
To: Sean Mullan <Sean.Mullan@Sun.COM>
CC: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>, Frederick Hirsch <frederick.hirsch@nokia.com>, XMLSec XMLSec <public-xmlsec-maintwg@w3.org>

There could be an xml:id or a wsu:Id (in case it is part of web services)
I didn't notice that RetrievalMethod doesn't have an ID. In our 
implementation we consider any attribute named "Id" that is a child of 
an element in the dsig or xenc namespace, to be ID attribute.
Also there could be Xpath tranform pointing to the RetrievalMethod.

In the retrieval method processing, we dereference the ID, execute the 
transforms, and result of that should be a KeyInfoData.  Now 
RetrievalMethod is also a KeyInfoData. So RetrievalMethod can point to 
another RetrievalMethod which can point to yet another and so on.  And 
this could form a cycle.


Sean Mullan wrote:
> Hi Pratik,
> Pratik Datta wrote:
>> 2.2  Reduce opportunities for denial of Service attacks
>>   Best Practice 5 Avoid RetrievalMethod
>>  RetrievalMethods can have bad transforms, external references and 
>> infinite loops.
>>  Example of Retrieval methods with infinite loop :
>> <RetrievalMethod Id="rm" URI="#rm"/>
>> Infinite loops can also happen with a circular chain of 
>> RetrievalMethods .
> RetrievalMethods don't have an ID attribute. Even so, I'm not sure how 
> you can get an infinite loop - can you explain that?
> --Sean
Received on Tuesday, 13 May 2008 17:58:46 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:58:44 UTC